Summary of the invention
To solve the above-mentioned problems of the prior art, the present invention proposes a user security management method in a cloud computing platform, comprising:
Decomposing the management mode, in a rule base, by creating multiple management interfaces, and carrying out logical isolation of multiple users based on the role groups of user domains.
Preferably, the creating of multiple management interfaces further comprises:
Adding a system management interface, a security management interface and a log management interface in the management domain; wherein the system management is used to manage virtual resources and to complete operations such as creating and allocating virtual machine resources; the security management is used for authorization and for configuring the access rules of the secure virtual machine, and is moved from the original management domain into a dedicated trusted environment virtual machine; the log management is used to record, from the virtual machine monitor layer, the running state of the upper-level virtual machines, including the user name performing the operation, the destination server ID, the operating state, whether the operation was authorized, the virtual machine operating system error code and so on, and provides a query interface while preventing the log from being tampered with;
The carrying out of logical isolation of multiple users based on the role groups of user domains further comprises:
The access rules are defined per user: by using a unique user domain security label, all of a user's virtual machines and the resources related to that user domain are marked; an arbitration monitor monitors resource sharing between virtual machines and communication between virtual machines according to the user isolation rules of the access rule base, so as to realize logical isolation based on user domains and to restrict administrators from viewing the private data of a user domain;
The virtual machine comprises a monitoring agent, which is installed in the virtual machine's drivers when the virtual machine is created and obtains an internal view of the modules loaded in the virtual machine; whether malware exists inside the virtual machine is monitored by multi-view comparison; when repair is indicated, the administrator sends operation instructions to the virtual machine from the trusted environment virtual machine, preventing the interior of the virtual machine from carrying out actions that attack other users; based on the virtual machine monitor's interception of the operations of the upper-level virtual machines, a virtual machine kernel integrity monitoring module is deployed in the trusted environment virtual machine, and the accesses by the security components in the trusted environment virtual machine and by the monitoring agent to resources inside a virtual machine all comply with the access rules in the rule base;
The security control module in the virtual machine monitor is used to provide a general access mechanism and a secure hook function interface, and runs after the virtual machine monitor starts; after a hook function is added to the security control module, whenever an event channel, grant table or memory-mapping operation occurs between domains, the security control module intercepts the call and parses the call parameters, obtaining from them the subject, object and operation attributes; an access execution module makes the decision, and the operation is executed only if it satisfies the access rules in the rule base; for protecting the virtual machine monitor itself, an integrity measurement mechanism based on a trusted platform module is used to perform integrity measurement;
Defining the roles of administrators and users and assigning permissions based on security labels, wherein the access rules define the access rules between domains, implement role-based management of user domains, and at the same time provide grouping isolation rules based on user domains, so that virtual machines carrying the same user label are placed in the same domain for system and security management; specifically comprising:
1) when the management domain or another domain requests access to a user domain, the security control module intercepts the request and analyzes the subject, object and operation type of the request;
2) the security control module forwards the request to the execution module, which returns a decision according to the access rule base;
3) the execution module returns the allow/deny decision to the security control module;
4) according to the decision, if access is allowed, the security control module permits the subject's access to the object; otherwise the access request is refused.
Compared with the prior art, the present invention has the following advantages:
The present invention proposes a user security management method in a cloud computing platform which separates security services from the management domain, prevents cloud platform administrators from tampering with or stealing user privacy, and flexibly controls and manages resource sharing between users.
Embodiments
A detailed description of one or more embodiments of the present invention is provided below together with the accompanying drawings illustrating the principles of the invention. The invention is described in conjunction with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is defined only by the claims, and the invention encompasses many alternatives, modifications and equivalents. Many specific details are set forth in the following description to provide a thorough understanding of the invention. These details are provided for exemplary purposes, and the invention may also be practiced according to the claims without some or all of these details.
One aspect of the present invention provides a user security management method in a cloud computing platform. Fig. 1 is a flow chart of the user security management method in a cloud computing platform according to an embodiment of the present invention.
The virtual machine system of the present invention, based on a cloud platform, provides isolation based on user grouping and a trusted environment virtual machine for carrying out cloud platform management and malware monitoring. It enforces rule-base access control on the physical hosts of the cloud platform, prevents a malicious administrator from threatening the private data of user virtual machines from the management domain, prevents viruses and malicious code from spreading from one user to other users, and alleviates the conflict between user privacy and the security rules of the platform provider.
1) To reduce the disclosure of users' virtual machine privacy information, the present invention first removes the privileges of the existing platform administrator, stopping the administrator from accessing the internal data of user virtual machines by technical means and restricting the administrator's operations on user virtual machines. Through the access rules in the rule base, the original management mode is decomposed and three new management interfaces are provided: system management, security management and log management.
2) By adding an access rule base for users, logical isolation based on user role grouping is realized, preventing viruses and malicious code from spreading to other users.
3) The present invention creates a dedicated trusted environment virtual machine and moves functions such as authorization, access rule configuration, trust attestation and monitoring from the management domain into the trusted environment virtual machine, so that the management domain cannot interfere with the security functions.
Restricting the privileged operations of the administrator is one of the key points of the virtual machine system of the present invention. In addition, multiple administrator roles need to be created in the management domain, so as to separate the management mode for the privileges in the cloud platform and to provide a security-enhanced management interface for the management platform. The present invention realizes the separation of management domain privileges by adding system, security and log management interfaces in the management domain. The system management is mainly designed to manage virtual resources and to complete operations such as creating and allocating virtual machine resources; the security management is used for authorization and for configuring the access rules of the secure virtual machine, and is moved from the original management domain into a dedicated trusted environment virtual machine; the log management records, from the virtual machine monitor layer, the running state of the upper-level virtual machines, including the user name performing the operation, the destination server ID, the operating state, whether the operation was authorized, the virtual machine operating system error code and so on, and not only provides a corresponding query interface but also prevents the log from being tampered with.
In multi-user operation, security services satisfying different security rules, logical isolation and runtime monitoring need to be provided according to the application scenarios of different users. To simplify security management, the present invention constructs a logical partitioning method based on user domains: the security manager no longer monitors individual virtual machines and virtual resources, but manages the operation of whole user domains based on user roles. The isolation rules of the present invention are defined per user and, by using a unique user domain security label, mark all of a user's virtual machines and the resources related to that user domain. The main function of the arbitration monitor is arbitration: according to the user isolation rules of the access rule base, it monitors resource sharing between virtual machines and communication between virtual machines, thereby realizing logical isolation based on user domains and restricting administrators from viewing the private data of a user domain.
In the framework of the present invention, the monitoring agent inside a virtual machine does not obtain the user's private data and complies with the security rules of the access rule base; it is installed in the virtual machine's drivers when the virtual machine is created, after mutual consent between the user and the provider. The main function of the agent is to monitor module loading in the virtual machine and to obtain the internal view, and to monitor whether malware exists inside the virtual machine by the method of multi-view comparison. When repair is needed, the administrator can send operation instructions to the virtual machine from within the trusted environment virtual machine, preventing actions inside the virtual machine that attack other users. Based on the virtual machine monitor's interception of the operations of the upper-level virtual machines, further modules such as a virtual machine kernel integrity monitoring module can be deployed in the trusted environment virtual machine; the accesses by the security components in the trusted environment virtual machine and by the monitoring agent to resources inside a virtual machine all comply with the access rules in the rule base.
The present invention places the function of controlling the privileges of the management domain in the virtual machine monitor, where a security control module is provided. This module provides a flexible general access mechanism and a secure hook function interface, and runs after the virtual machine monitor starts. After a hook function is added to the security control module, whenever related operations such as event channel, grant table or memory-mapping operations occur between domains, the security control module intercepts the call and parses the call parameters, obtains from them the subject, object and operation attributes, and passes them to the access execution module for decision; only operations satisfying the access rules in the rule base may be executed. For protecting the critical security control module and the virtual machine monitor itself, an integrity measurement mechanism based on a trusted platform module is used to perform integrity measurement.
In the privilege control rules of the present invention, administrators in the management domain are prohibited from initiating security-related operations against user domains, and no administrator is allowed to hold the privilege of creating management accounts. For other management users, mandatory access control is applied according to the role rules and the access list rules. System management completes the resource allocation operations of a user domain using the original system management software, but cannot view page information already allocated to that user domain. Security management gives cloud users the ability to authorize other users to access their own shared memory, and configures the access rules of the rule base through a tool located in the trusted environment virtual machine. Log management is realized by modifying the event hooks in the virtual machine monitor and adding logging and query interfaces, and its access rights are protected by the security rules in the rule base. In this way a management mode with separated privileges is achieved.
In the execution module of the present invention, the role rules form a role-based component for defining the roles of administrators and users, assigning permissions based on security labels, and specifying that the privileges of the system, security and log management roles are separated. The access rules between domains are defined in the access list rules, so as to implement role-based management of user domains while providing grouping isolation rules based on user domains, whereby virtual machines carrying the same user label are placed in the same domain for system and security management. The access flow for privileges in the present invention is mainly divided into 4 steps:
1) when the management domain or another domain requests access to a user domain, the security control module of the virtual machine monitor intercepts the request and analyzes the subject, object and operation type of the request;
2) the security control module forwards the request to the execution module, which returns a decision according to the access rule base;
3) the execution module returns the allow/deny decision to the security control module;
4) according to the decision, if access is allowed the security control module permits the subject's access to the object; otherwise the access request is refused.
The design of the virtual machine monitor achieves isolation of virtual resources (for example: local area network, disk, memory or CPU) and can enforce access control on the information flows between virtual machines. The present invention improves the existing virtual resource partitioning method: on the one hand, it uses the arbitration of the security control module to restrict and split the administrator's privileges, realizing a management mode with separated privileges; on the other hand, it marks the virtual machines and resources corresponding to different user groups, so that each user's own virtual machines and resources carry a unique ID and a common type, and these marks are managed uniformly by the virtual machine monitor. The security control module matches these marks against the access rule base; if the subject and object have the same type and satisfy the access rules, communication or resource sharing is allowed.
Inside a user domain, the present invention uses memory address space switching and the CPU's no-execute flag to provide a lightweight memory partitioning method at the virtual machine monitor layer: the guest kernel stack is protected while a module executes, extension kernel modules execute in their own address space, and address space switching operations are monitored by the virtual machine monitor, so that operations inside the virtual machine that destroy kernel integrity can be detected at the virtual machine monitor layer and the execution environment of untrusted modules is isolated.
With regard to the privacy protection of users, in addition to adding access rules based on user role grouping to the rule base, security rule support also needs to be provided for the privacy protection of specific users. Therefore, the execution module of the virtual machine system of the present invention also realizes a series of customized security rules through access lists, with which a user can specify which data may not be accessed by other virtual machines or even by the management domain.
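The following is an added example, not part of the patent, that models the hook, execution-module and label-matching flow of the four steps above together with the privilege control rules described earlier (separated administrator roles, no role able to create management accounts, user-authorized sharing, user-declared private data, and a tamper-evident log for log management). The domain names, type labels, operation names and rule-base layout are constructed for illustration and do not correspond to any real hypervisor's data structures.

```python
"""Rule-base decision for intercepted inter-domain operations.

Added example modelled on the hook, execution-module and label-matching flow
described in the patent; it is not the patent's own code.  The rule-base
layout, the domain labels, the operation names and the sample requests are
constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

# Constructed domains.  Virtual machines of one user share a type label;
# 'dom0' is the management domain, 'trusted' the trusted environment VM.
DOMAINS = {
    "dom0":    {"type": "management",  "role": "system_admin"},
    "logger":  {"type": "management",  "role": "log_admin"},
    "trusted": {"type": "trusted_env", "role": "security_admin"},
    "vm-a1":   {"type": "user:alice",  "role": "user"},
    "vm-a2":   {"type": "user:alice",  "role": "user"},
    "vm-b1":   {"type": "user:bob",    "role": "user"},
}

# Role rules: operations a role may initiate.  System, security and log
# management are separated, and no role is granted 'create_admin'.  The
# system administrator deliberately lacks 'memory_map', so the management
# domain cannot read pages already allocated to a user domain.
ROLE_RULES = {
    "system_admin":   {"event_channel", "grant_table"},
    "security_admin": {"configure_rules", "event_channel", "grant_table", "memory_map"},
    "log_admin":      {"read_log"},
    "user":           {"event_channel", "grant_table", "memory_map"},
}

# Access-list rules configured from the trusted environment VM (constructed):
# SHARED  - an owner authorises another user's label for one operation
# PRIVATE - data an owner declares off-limits to every other domain
SHARED = {"vm-b1": {("user:alice", "grant_table")}}
PRIVATE = {"vm-b1": {"memory_map"}}

AUDIT_LOG = []          # log-management entries, hash-chained
GENESIS = "0" * 64


@dataclass(frozen=True)
class Request:
    subject: str
    obj: str
    op: str


def decide(req):
    """Execution module: return (allowed, reason) for one request."""
    subj, obj = DOMAINS.get(req.subject), DOMAINS.get(req.obj)
    if subj is None or obj is None:
        return False, "unknown subject or object"
    if req.op not in ROLE_RULES.get(subj["role"], set()):
        return False, f"role {subj['role']} may not perform {req.op}"
    # Evaluated before the label rule so it also binds the trusted VM's
    # security components and the monitoring agent, as the text requires.
    if req.subject != req.obj and req.op in PRIVATE.get(req.obj, set()):
        return False, "object owner declared this data private"
    s_type, o_type = subj["type"], obj["type"]
    if subj["role"] == "user" and not o_type.startswith("user:"):
        return False, "user domains may not address management or trusted domains"
    if s_type.startswith("user:") and o_type.startswith("user:") and s_type != o_type:
        if (s_type, req.op) in SHARED.get(req.obj, set()):
            return True, "cross-user access authorised by object owner"
        return False, "subject and object carry different user labels"
    return True, "permitted by rule base"


def _digest(prev, entry):
    fields = [entry[k] for k in ("user", "destination", "operation", "reason")]
    fields.append(str(entry["authorized"]))
    return hashlib.sha256((prev + "|" + "|".join(fields)).encode()).hexdigest()


def hook(call, src, dst):
    """Security control module hook: parse the intercepted call into
    subject/object/operation, obtain the decision, and append a log entry."""
    allowed, reason = decide(Request(src, dst, call))
    entry = {"user": src, "destination": dst, "operation": call,
             "authorized": allowed, "reason": reason}
    prev = AUDIT_LOG[-1]["digest"] if AUDIT_LOG else GENESIS
    entry["digest"] = _digest(prev, entry)
    AUDIT_LOG.append(entry)
    return allowed


def verify_log():
    """Recompute the hash chain; any edited or removed entry breaks it."""
    prev = GENESIS
    for entry in AUDIT_LOG:
        if entry["digest"] != _digest(prev, entry):
            return False
        prev = entry["digest"]
    return True


if __name__ == "__main__":
    for call, src, dst in [("event_channel", "vm-a1", "vm-a2"),
                           ("event_channel", "vm-a1", "vm-b1"),
                           ("grant_table", "vm-a1", "vm-b1"),
                           ("memory_map", "dom0", "vm-a1"),
                           ("create_admin", "dom0", "dom0"),
                           ("memory_map", "trusted", "vm-b1")]:
        hook(call, src, dst)
        print(AUDIT_LOG[-1]["operation"], AUDIT_LOG[-1]["authorized"], AUDIT_LOG[-1]["reason"])
    print("log intact:", verify_log())
```

Two points a practitioner would check against the text: the private-data rule is evaluated before the label rule, so it also denies the trusted environment VM's own components (the text requires the security components and the agent to obey the rule base, not to bypass it); and because each log digest covers the previous digest and the decision, the hash chain in verify_log() models the "log cannot be tampered with" property at the level of detection, while protecting the stored chain itself still depends on the rule base restricting who may write it.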
In the virtual machine system of the present invention, the security management and service functions are transplanted into a dedicated trusted environment virtual machine. This is achieved by modifying the virtual machine monitor source code to add the new virtual machine type of trusted environment virtual machine, granting the trusted environment virtual machine the privilege of configuring the security rules in the virtual machine monitor while forbidding virtual machines of other domains from modifying those security rules, and restricting the access of other virtual machines to the trusted environment virtual machine through the isolation of memory and file systems.
Using virtual trusted platform module technology, on the basis of the existing chain of trust, a virtual trusted platform module is provided to the virtual machine as the root of trust of the trusted environment virtual machine, and the chain of trust is extended from the underlying physical trusted platform module into the trusted environment virtual machine, thereby realizing integrity measurement inside the trusted environment virtual machine. Using the trust attestation results provided after deployment, the platform provider and the user can take the attestation results as the basis for mutual trust.
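The following is an added example, not part of the patent, that models the chain of trust described above: a physical-TPM stage measuring the host up to the virtual machine monitor and its security control module, a virtual-TPM stage measuring the trusted environment virtual machine, and a verifier that replays the event log against reference values the way an attesting party would. Register extension follows the TPM pattern PCR = SHA-256(PCR || SHA-256(component)). The component names and images are constructed; seeding the virtual register with the final physical register value is a modelling choice made here to bind the two stages, not a description of any particular vTPM design, and the signature a real TPM would place on the quote is omitted.

```python
"""Chain of trust measured into a trusted environment virtual machine.

Added example, not the patent's code.  Models TPM-style register extension for
a physical stage (host and VMM) and a virtual stage (trusted environment VM),
then verifies the quoted register by replaying the event log.  Component names
and images are constructed; seeding the virtual register with the physical
register value is a modelling choice made here, not a vTPM specification.
"""
import hashlib

ZERO_PCR = b"\x00" * 32


def extend(pcr: bytes, digest: bytes) -> bytes:
    """One PCR extend step: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(seed: bytes, components):
    """Extend `seed` with each (name, image) in order; return (pcr, event_log)."""
    pcr, log = seed, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


# Constructed component images.  The physical chain ends at the VMM and its
# security control module; the virtual chain continues inside the trusted VM.
PHYSICAL = [("firmware", b"firmware image"),
            ("bootloader", b"bootloader image"),
            ("vmm", b"vmm image"),
            ("security_control_module", b"security control module image")]
TRUSTED_VM = [("trusted_vm_kernel", b"trusted vm kernel image"),
              ("rule_base", b"rule base v1"),
              ("monitoring_module", b"monitoring module image")]

# Reference values the verifier holds for the approved build.
KNOWN_GOOD = {name: hashlib.sha256(img).hexdigest()
              for name, img in PHYSICAL + TRUSTED_VM}


def boot(physical=PHYSICAL, trusted_vm=TRUSTED_VM):
    """Simulate boot: the physical TPM measures the host, then the vTPM,
    seeded from the physical register, measures the trusted environment VM."""
    phys_pcr, phys_log = measure_chain(ZERO_PCR, physical)
    vtpm_pcr, vtpm_log = measure_chain(phys_pcr, trusted_vm)
    return {"quote": vtpm_pcr, "log": phys_log + vtpm_log}


def verify(quote: bytes, log, known_good=KNOWN_GOOD):
    """Replay the event log from the zero register: every digest must match
    the reference for its component and the replay must reach the quote."""
    pcr = ZERO_PCR
    for name, digest_hex in log:
        if known_good.get(name) != digest_hex:
            return False, f"unexpected measurement for {name}"
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    if pcr != quote:
        return False, "event log does not reproduce the quoted register"
    return True, "attested"


if __name__ == "__main__":
    good = boot()
    print(verify(good["quote"], good["log"]))
    # An edited rule base changes its digest and the final register value.
    edited = [(n, b"rule base v1 (edited)" if n == "rule_base" else i)
              for n, i in TRUSTED_VM]
    tampered = boot(trusted_vm=edited)
    print(verify(tampered["quote"], tampered["log"]))
```

The verifier checks two things separately: that each logged digest is a known-good value for that component, and that replaying the log in order reproduces the quoted register. The second check is what makes the log order meaningful; swapping two entries yields valid digests but a different register, which is why a forged log cannot be matched to a genuine quote.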
Among the current service functions of the trusted environment secure virtual machine, in addition to the platform trust attestation function, malware monitoring and handling functions based on cross-view comparison are also provided. Taking the monitoring function as an example, the system architecture and implementation after the security functions are transplanted from the management domain to the trusted environment virtual machine are described below.
The monitoring module of the trusted environment virtual machine is mainly composed of a control unit, a monitoring unit and a malware handling unit.
1) Control unit: the control unit is located in the application layer of the trusted environment virtual machine and interacts with the virtual machine monitor and the user domains through the function library provided by the virtual machine monitor. Its functions mainly include: displaying the secure linked list of each user domain, displaying the malware attacks currently suffered by each user domain, and sending instructions to the malware handling unit to handle the corresponding malware. Here, the secure linked list stores the module information of a user virtual machine; a secure linked list located at the virtual machine monitor layer has higher credibility and prevents the module view information at the user virtual machine layer from being destroyed.
2) Monitoring unit: the monitoring unit is deployed at the virtual machine monitor layer and comprises hidden code monitoring and private information monitoring. Hidden code monitoring detects hidden code present in a virtual machine; the private information monitoring unit detects tampering by malware with private information of the system kernel and restores it in time when an attack is detected.
3) Malware handling unit: the malware handling unit is deployed in the kernel space of the user domain and is embedded as a functional unit into the monitoring agent of the virtual machine system of the present invention; it interacts with the control unit, receives the control unit's commands, and carries out information recovery and module unloading for the malware detected.
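The following is an added example, not part of the patent, of the cross-view comparison performed by the monitoring unit: the secure linked list recorded at the virtual machine monitor layer when module loads were intercepted is compared with the module view the in-guest monitoring agent reports, and the differences are turned into commands for the handling unit. The module names, load addresses and images are constructed; a real implementation would obtain the guest view through the agent and the trusted list from the hypervisor's load interception.

```python
"""Cross-view comparison of a guest's loaded kernel modules.

Added example of the multi-view malware check described in the patent; not the
patent's code.  Two constructed views stand in for (a) the secure linked list
kept at the virtual machine monitor layer, recorded when module loads were
intercepted, and (b) the view the in-guest monitoring agent reports by walking
the guest's own module list.  Module images are constructed byte strings.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int        # load address in the guest
    code_hash: str   # SHA-256 of the module text


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# (a) Secure linked list at the VMM layer: what was actually loaded.
SECURE_LIST = [
    Module("ext4",    0xffffffffc0000000, image_hash(b"ext4 module text")),
    Module("e1000",   0xffffffffc0100000, image_hash(b"e1000 module text")),
    Module("rootkit", 0xffffffffc0200000, image_hash(b"rootkit module text")),
]

# (b) Agent view from inside the guest.  The rootkit unlinked itself from the
# guest's module list and patched e1000's text after it was loaded.
GUEST_VIEW = [
    Module("ext4",  0xffffffffc0000000, image_hash(b"ext4 module text")),
    Module("e1000", 0xffffffffc0100000, image_hash(b"e1000 module text, hooked")),
]


def cross_view(secure, guest):
    """Return sorted (module, finding, action) triples.

    hidden     - in the VMM list but absent from the guest view (unlinked)
    unrecorded - in the guest view but never seen loading by the VMM hooks
    tampered   - present in both views but the text hash changed since load
    """
    by_secure = {m.name: m for m in secure}
    by_guest = {m.name: m for m in guest}
    findings = []
    for name in by_secure.keys() - by_guest.keys():
        findings.append((name, "hidden", "unload"))
    for name in by_guest.keys() - by_secure.keys():
        findings.append((name, "unrecorded", "unload"))
    for name in by_secure.keys() & by_guest.keys():
        if by_secure[name].code_hash != by_guest[name].code_hash:
            findings.append((name, "tampered", "restore"))
    return sorted(findings)


def control_unit_commands(findings):
    """Commands the control unit sends to the in-guest handling unit."""
    return [f"{action} {name}" for name, kind, action in findings]


if __name__ == "__main__":
    found = cross_view(SECURE_LIST, GUEST_VIEW)
    for finding in found:
        print(finding)
    print(control_unit_commands(found))
```

The comparison relies on the VMM-layer list being outside the guest's reach, which is the reason the text gives for keeping it at the virtual machine monitor layer; if the agent's view were the only source, a module that unlinks itself would be invisible. The "tampered" case is detected from the hash recorded at load time, so restoring a module means reinstating the text whose hash the secure list holds.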
In summary, the present invention proposes a user security management method in a cloud computing platform which separates security services from the management domain, prevents cloud platform administrators from tampering with or stealing user privacy, and flexibly controls and manages resource sharing between users.
Obviously, those skilled in the art should appreciate that each module or step of the present invention described above may be implemented with a general-purpose computing system; they may be concentrated on a single computing system or distributed over a network formed by multiple computing systems; optionally, they may be implemented with program code executable by a computing system, so that they may be stored in a storage system and executed by the computing system. Thus, the present invention is not restricted to any specific combination of hardware and software.
It should be understood that the above embodiments of the present invention are only for exemplary illustration or explanation of the principles of the present invention and are not to be construed as limiting the invention. Therefore, any modifications, equivalent replacements, improvements and the like made without departing from the spirit and scope of the present invention shall all be included within the protection scope of the present invention. In addition, the claims of the present invention are intended to cover all changes and modifications falling within the scope and boundaries of the claims or the equivalents of such scope and boundaries.